Computer forensics
Computer forensics is a specialized field that combines scientific methods with investigative techniques to acquire, analyze, and preserve electronic data from computers and digital devices for legal purposes. With the rise of digital technology and the Internet, virtually every action taken on computers leaves a digital footprint, which can serve as crucial evidence in both civil and criminal investigations. This discipline plays a significant role in addressing various issues, including computer crimes, identity theft, and cyberterrorism, by providing the necessary technical skills and tools to uncover and evaluate electronic evidence.
The process of computer forensics typically starts with the careful acquisition of digital evidence, often involving the creation of a "mirror image" of a hard drive to ensure that the original data remains unaltered. Investigators must follow strict protocols to maintain the integrity and chain of custody of the evidence, which is essential for its admissibility in court. Common types of electronic evidence include emails, chat records, and files from various digital devices, all of which can be scrutinized to establish facts about alleged wrongdoings.
As technology evolves, so does the field of computer forensics, with institutions like the Regional Computer Forensics Laboratory (RCFL) playing a pivotal role in supporting law enforcement agencies in tackling complex digital cases. The growing complexity of digital evidence necessitates that forensic investigators remain well-trained and certified in advanced forensic tools and techniques, ensuring that their findings are robust and credible in judicial settings.
DEFINITION: Forensic specialty that applies science to the acquisition and analysis of electronic data from computers, other digital devices, and the Internet to assist in civil and criminal investigations.
SIGNIFICANCE: Nearly every use of a computer or other digital device leaves a recorded trace, and together those traces form a digital trail of evidence. Because computer crimes as well as physical crimes—and the criminals who commit them—often leave trails of electronic evidence, computer forensics has come to play an increasingly prominent role in law enforcement, crime investigations, civil cases, and homeland security.
Beginning in 1991, when the World Wide Web became publicly available, rapid growth was seen in personal, professional, and criminal uses of the Internet—through e-mail, instant messaging, online chat rooms, social networking websites, web logs (blogs), and more—and of networked computers and cellular devices. Computers and digital communication devices create and store huge amounts of detail in their memory, file systems, and log files. When files are saved, sent, or downloaded, the computer's operating system and other software automatically record metadata about the action (timestamps, file names, network addresses, and the like) alongside the content itself. The records and files stored on computers and other digital devices can be used as evidence to support or defend against allegations of wrongdoing.
[Figure: RTL Aceso mobile phone forensics unit with an iPhone attached. Photo by Tmorton166, public domain, via Wikimedia Commons.]
Rarely are computer users aware that their activities have left multiple trails of evidence, and many may not even attempt to purge those trails regardless of how incriminating they are. Even technology-savvy users who want their activities to go undetected may not be able to delete or disguise all their trails of evidence completely. Often it is impossible to delete all traces of electronic evidence. The work of computer forensic investigators involves finding, analyzing, and preserving relevant digital files or data for use as electronic evidence.
According to the rules of evidence, the three primary types of evidence presented in legal proceedings are the testimony of witnesses, physical evidence, and electronic evidence. The newest of these is electronic evidence. Common types of electronic evidence are the contents of e-mail and instant messages and chat-room conversations, records of websites visited, downloaded and uploaded files, word-processing documents, spreadsheets, digital pictures, Global Positioning System (GPS) records, and data from personal digital assistants (PDAs). Investigations of computer crimes, identity theft, computer hacking and viruses, electronic espionage, and cyberterrorism require computer forensic technical and investigative skills and tools because of the digital or electronic nature of the evidence.
The thorough investigation and unbiased analysis of electronic evidence requires specialized computer forensics tools used by experts who understand both computer technologies and legal procedures. It may seem that electronic records, being out-of-court statements, would be excluded as hearsay, but they are routinely admitted: records generated automatically by a computer (log entries, timestamps, system metadata) are generally not treated as statements of a person at all, and records kept in the ordinary course of business fall under a recognized exception to the hearsay rule. In either case the evidence is considered reliable provided that its authenticity can be shown and it has been handled properly.
Principles of Computer Forensics
A computer forensics investigation uses science and technology to acquire and examine electronic data in order to develop and test theories that can be entered into a court of law to answer questions about events that have occurred. Generally accepted computer forensics principles have been established to ensure that the chain of custody of the evidence can be verified later in court or other legal proceedings. Like physical evidence, electronic evidence can be easily contaminated if investigators ignore the forensic science principle of “do no harm.” The crime scene, which is the state of the computer, must be preserved to protect the integrity of the evidence; simply turning on a computer and searching through the files can alter those files and the computer’s records.
Forensic investigators are aware that they will need to defend their findings. Their electronic evidence-processing methods, tools, and techniques may be challenged rigorously by the opposing side in a court case. Documentation is important so that investigators can refresh their memories about the steps taken and duplicate the results of processing if necessary. Investigators must thus follow rigorous processes and procedures in the acquisition, authentication, analysis, and interpretation of electronic evidence.
The first step in any computer forensics investigation is acquisition of the evidence through the careful collection and preservation of the original files on a hard drive (or other storage device); this is accomplished through the creation of an exact bit-stream duplicate copy of the entire drive using computer forensics software, such as Forensic Toolkit (FTK) or EnCase, that is recognized by the courts as acceptable for verifying evidence. The source device is attached through a write blocker so that the act of copying cannot itself change it. This duplicate, which is referred to as the mirror image or drive image, is used for the analysis; the original evidence is used only in extreme situations. Making a mirror image of a hard drive is simple in theory, but the accuracy of the image must meet evidence standards. To guarantee accuracy, imaging programs compute cryptographic hash values (historically MD5 and SHA-1, today typically SHA-256) over the entire source device and over the acquired image and compare the two; forensic container formats such as EnCase's E01 additionally store a cyclic redundancy check (CRC) for each block of data, so that a later discrepancy can be localized to a block rather than merely detected. Some cases may involve significant work recovering files that have been deleted; examiners use special tools and software to reconstruct otherwise lost information.
The second step in the computer forensics investigation is authentication of the mirror image, or verification that the copy is identical to the original or source. Evidence verification depends not only on the use of the proper software and hardware tools but also on the equipment, environment, and documentation of the steps taken during evidence processing. At a minimum, preservation of the chain of custody for electronic evidence requires proving that no information was added, deleted, or altered in the copying process or during analysis, that a complete mirror image copy was made and verified, that a reliable copying process was used, and that all data that should have been copied were copied. This is accomplished when the mirror image is "fingerprinted" using a cryptographic hash function. Hashing is sometimes loosely described as encryption, but a hash is a one-way digest, not a reversible cipher; because changing even a single bit of the input yields a completely different digest, a hash recorded at acquisition makes any later modification of the image detectable. It does not, however, reveal content that was already concealed on the device before acquisition (hidden data such as steganography is found by content analysis of the image, not by hashing it).
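The acquisition and authentication steps above, as an added example in Python (not code from the page or from FTK or EnCase): it copies a source stream byte for byte, records SHA-256 and MD5 digests of the whole stream for the chain-of-custody record, keeps a CRC32 per block so that a later mismatch can be localized, and then shows that flipping a single bit in the image is both detected and attributed to its block. The sample device, the 4096-byte block size, and the examiner name in the custody record are constructed assumptions.

```python
import hashlib
import io
import zlib
from datetime import datetime, timezone

BLOCK = 4096  # assumed block size for the per-block CRCs (not a standard value)


def hash_stream(src, dst=None, block=BLOCK):
    """Read src to the end in fixed-size blocks; if dst is given, write each
    block to it unchanged (a bit-stream copy).  Returns the byte count,
    whole-stream SHA-256 and MD5 digests, and one CRC32 per block."""
    sha256, md5, crcs, total = hashlib.sha256(), hashlib.md5(), [], 0
    while True:
        chunk = src.read(block)
        if not chunk:
            break
        if dst is not None:
            dst.write(chunk)
        sha256.update(chunk)
        md5.update(chunk)
        crcs.append(zlib.crc32(chunk) & 0xFFFFFFFF)
        total += len(chunk)
    return {"bytes": total, "sha256": sha256.hexdigest(),
            "md5": md5.hexdigest(), "crc32": crcs}


def hash_bytes(data, block=BLOCK):
    """Convenience wrapper for in-memory data."""
    return hash_stream(io.BytesIO(data), block=block)


def verify_image(source_rec, image_rec):
    """Authentication: the image is accepted only if it has the same length
    and SHA-256 as the source.  On failure, return the index of the first
    block whose CRC differs so the examiner can see where it went wrong."""
    if (source_rec["bytes"] == image_rec["bytes"]
            and source_rec["sha256"] == image_rec["sha256"]):
        return True, None
    for i, (a, b) in enumerate(zip(source_rec["crc32"], image_rec["crc32"])):
        if a != b:
            return False, i
    # Blocks agree as far as both go: one side is truncated.
    return False, min(len(source_rec["crc32"]), len(image_rec["crc32"]))


def custody_record(examiner, source_desc, rec):
    """Minimal chain-of-custody entry: who acquired what, when, and the
    digests that every later copy must reproduce."""
    return {"examiner": examiner, "source": source_desc,
            "acquired_utc": datetime.now(timezone.utc).isoformat(),
            "bytes": rec["bytes"], "sha256": rec["sha256"], "md5": rec["md5"]}


def demo():
    # Constructed stand-in for a disk: three full blocks plus a 4-byte tail.
    # In practice src would be open("/dev/sdb", "rb") behind a write blocker.
    device = (b"MBR " + b"\x00" * 4092
              + b"A" * 4096
              + b"deleted-file-remnant" + b"\x00" * 4076
              + b"tail")
    src, img = io.BytesIO(device), io.BytesIO()
    source_rec = hash_stream(src, dst=img)                # acquisition
    record = custody_record("examiner-01", "constructed sample device", source_rec)

    img.seek(0)
    image_rec = hash_stream(img)                          # re-hash the copy
    ok, bad = verify_image(source_rec, image_rec)         # (True, None)

    # Simulate a single-bit change in the image after acquisition.
    tampered = bytearray(img.getvalue())
    tampered[2 * BLOCK + 5] ^= 0x01
    tampered_rec = hash_stream(io.BytesIO(bytes(tampered)))
    ok2, bad2 = verify_image(source_rec, tampered_rec)    # (False, 2)
    return ok, bad, ok2, bad2, record["sha256"] == image_rec["sha256"]


if __name__ == "__main__":
    print(demo())
```

hash_stream reads in blocks, so a multi-terabyte device is never loaded into memory. The whole-stream digest is the value that belongs in the custody record; the per-block CRCs only explain a mismatch and do not replace it.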
The third and often most extensive step in the investigation is the technical analysis and evaluation of the evidence, which must be done in a manner that is fair and impartial to the person or persons being investigated. Investigators evaluate what could have happened as well as what could not have happened. The key to effective electronic evidence searches is careful preparation. Poor preparation during the early stages of an investigation can lead to failures in prosecution, as information can be ignored, destroyed, or compromised. Experienced computer forensics examiners are skilled in formulating search strategies that are likely to find relevant, revealing data. Analyses are more productive when examiners have some sense of what they are seeking before they begin their searches. For example, if the focus is on documents, the investigators need to know names, key words, or parts of words that are likely to be found within those documents. If the issue is trade secrets, it is helpful for the examiners to know which search terms are uniquely associated with the proprietary data. If the focus is child pornography, website addresses uniquely associated with prohibited content are valuable.
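Keyword searching over a raw image, as an added example in Python (not code from the page or from any named tool): it searches the whole image rather than the mounted file system, so terms sitting in unallocated space or file slack are found, and it looks for each term both as ASCII and as UTF-16LE, the encoding Windows uses for registry values, NTFS file names, and many document internals. The sample image, the search term, and the 512-byte sector size used for reporting are constructed assumptions.

```python
import re

SECTOR = 512                          # assumed sector size for offset reporting
ENCODINGS = ("ascii", "utf-16-le")    # extend (e.g. "utf-8") for non-Latin terms


def search_image(image, terms, context=16, encodings=ENCODINGS):
    """Return every case-insensitive hit of each term in each encoding, with
    its byte offset, sector number and a little decoded context.
    re.IGNORECASE on bytes folds only ASCII letters, which is exactly what
    the UTF-16LE form of an ASCII term needs (letter, NUL, letter, NUL, ...);
    terms with non-ASCII letters would need explicit case variants."""
    hits = []
    for term in terms:
        for enc in encodings:
            pattern = re.compile(re.escape(term.encode(enc)), re.IGNORECASE)
            for m in pattern.finditer(image):
                lo = max(0, m.start() - context)
                hi = min(len(image), m.end() + context)
                hits.append({
                    "term": term, "encoding": enc,
                    "offset": m.start(), "sector": m.start() // SECTOR,
                    "context": image[lo:hi].decode(enc, errors="replace"),
                })
    hits.sort(key=lambda h: h["offset"])
    return hits


def sample_image():
    """Constructed 4 KiB image: a live memo in sector 1 and, in an otherwise
    zeroed region, the remains of a deleted path stored as UTF-16LE."""
    live = b"Quarterly memo: Project Falcon budget is confidential.\n"
    deleted = "C:\\Users\\jdoe\\Desktop\\project falcon.docx".encode("utf-16-le")
    img = bytearray(4096)
    img[512:512 + len(live)] = live
    img[2048:2048 + len(deleted)] = deleted
    return bytes(img)


def demo():
    """Encoding, byte offset and sector of each hit for the sample term."""
    return [(h["encoding"], h["offset"], h["sector"])
            for h in search_image(sample_image(), ["Project Falcon"])]


if __name__ == "__main__":
    for hit in search_image(sample_image(), ["Project Falcon"]):
        print(hit)
```

The second hit is exactly the kind a file-system-level search misses: nothing references that region any more, but the deleted path is still on disk, and it only matches because the search covered the UTF-16LE form of the term.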
The final steps are the interpretation and reporting of the results. Examiners’ conclusions must be accurate, complete, and usable in legal proceedings. Explaining the findings of computer forensic investigations in court can be difficult, especially when the evidence must be presented to persons with little technical knowledge. The value of the evidence ultimately depends on the way it is presented and defended in court. Because of the complexity of many of the tools involved in computer forensics, investigators must be trained and certified in their use. General training and certifications are also available for computer forensics investigators.
Regional Computer Forensics Labs
In 1999, the Federal Bureau of Investigation (FBI) launched an innovative pilot program in San Diego, California. The Regional Computer Forensics Laboratory (RCFL) program was designed to help state, local, and other federal law enforcement gather electronic evidence from computers, PDAs, cell phones, digital cameras, and other digital devices. The FBI undertook the project because computer forensics was one of the fastest-growing disciplines within law enforcement, and the RCFL program quickly became a dynamic tool for fighting crime and terrorism. By 2007, the RCFL program had evolved into a network of cutting-edge electronic evidence labs created to meet a rapidly increasing need. The RCFLs have supported high-profile investigations such as the Enron case, the bribery case against former California congressman Randy "Duke" Cunningham, the public corruption case against former Illinois governor George Ryan, and the dissolution of an international child pornography ring. Another prominent case involving testimony from a computer forensics expert was the trial of Dr. Conrad Murray regarding the death of singer Michael Jackson, in which Murray's smartphone and emails were held as evidence. In 2016, private cybersecurity firms applied computer forensics in the high-profile investigation into whether Russia was involved in hacking the computer systems of the Democratic National Committee (DNC) during the presidential election. In 2023, more than fifteen thousand emails and documents were turned over to prosecutors in Fulton County, Georgia, in the racketeering case against former president Donald Trump and others, including his former campaign attorney, Sidney Powell.
Each RCFL is a full-service forensics laboratory and training center devoted to the examination of electronic evidence in support of criminal investigations, including terrorism, child pornography, crimes of violence, the theft or destruction of intellectual property, Internet crimes, and fraud. In 2006 alone the RCFLs, which are staffed by trained computer analysts from the FBI and more than one hundred other agencies, collectively analyzed almost sixty thousand media items, including CDs, cell phones, hard drives, and PDAs. During 2006, requests for assistance on computer crimes, a category that included child pornography and other crimes against children, were the most frequent kind of request in eleven of fourteen RCFLs, followed by violent crimes, major thefts, and white-collar crimes. By 2012 the RCFL program had expanded to sixteen laboratories and continued to grow; it processed 5,986 terabytes of data that year, up 40 percent from the year before. Its examiners provided expert testimony on 101 occasions in court or at hearings in 2012. The increasing sophistication of digital forensics tools and methods, as well as the growing public and criminal use of computers and other technology, helped drive this growth. By 2014, RCFLs had continued receiving accreditation as well as requests for services from a large number of agencies; that year, RCFLs received almost seven thousand requests for assistance and once again processed more than five thousand terabytes for examinations and searches. Additionally, RCFL examiners testified in court hearings more than eighty times in 2014 alone. In 2019, the RCFL program trained 3,652 law enforcement officers in the use of digital forensic tools and techniques and added a new site in Boston, Massachusetts, bringing the total to seventeen laboratories.
The program also developed self-service kiosks that give investigators the equipment to preview the contents of cell phones and other portable media without first formally submitting the evidence to an RCFL. If suspicious information is found, a full forensic examination can then be carried out with the cooperation of RCFL examiners. This allows more efficient processing of evidence as the number of cases involving cell phone and other digital data continues to grow rapidly.
Bibliography
Carrier, Brian. File System Forensic Analysis. Addison-Wesley, 2005.
"Computer Forensic Expert Testifies in Murray Trial." CBS Los Angeles. CBS Local Media, 5 Oct. 2011, losangeles.cbslocal.com/2011/10/05/detectives-investigators-to-testify-in-conrad-murray-trial/. Accessed 12 Mar. 2015.
Kipper, Gregory. Wireless Crime and Forensic Investigation. Auerbach, 2007.
Regional Computer Forensics Laboratory Annual Report for Fiscal Year 2019. US Department of Justice / Federal Bureau of Investigation / Regional Computer Forensics Laboratory, www.rcfl.gov/file-repository/fiscal-year-2019.pdf/view. Accessed 14 Aug. 2024.
Sheetz, Michael. Computer Forensics: An Essential Guide for Accountants, Lawyers, and Managers. Wiley, 2007.
Steel, Chad. Windows Forensics: The Field Guide for Corporate Computer Investigations. Wiley, 2006.
Valencia, Nick, Jason Morris, and Zachary Cohen. "New Trove of Emails and Documents Turned Over to Prosecutors in Georgia Election Subversion Case." CNN, 17 Oct. 2023, www.cnn.com/2023/10/17/politics/fulton-county-documents-georgia-election-case-trump/index.html. Accessed 14 Aug. 2024.
Volonino, Linda, et al. Computer Forensics: Principles and Practice. Prentice, 2007.